CVE-2023-50269 SQUID-2023:10 Denial of Service in HTTP Request parsing

2023-12-1417:09:25

CWE-674

GitHub_M

www.cve.org

squid

http request

dos vulnerability

uncontrolled recursion

x-forwarded-for

patch

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

8.5 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

75.4%

JSON

Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. This problem allows a remote client to perform Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid’s patch archives.

CNA Affected

[
  {
    "vendor": "squid-cache",
    "product": "squid",
    "versions": [
      {
        "version": ">= 2.6, <= 2.7.STABLE9",
        "status": "affected"
      },
      {
        "version": ">= 3.1, <= 5.9",
        "status": "affected"
      },
      {
        "version": ">= 6.0.1, < 6.6",
        "status": "affected"
      }
    ]
  }
]